Merge branch 'main' into fix/stdio-clean

Rename the canonical function to `_assert_stdio_is_pipe_compatible`
with a deprecated alias `_warn_if_stdio_not_pipe` for backward
compat. Updates all 5 test import sites.

Fixes dangling monkeypatch targets in test_a2a_mcp_server_http.py
(which patches `_assert_stdio_is_pipe_compatible`; main's source
defined the old name, causing patches to silently no-op).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/scripts/gitea-merge-queue.py

@@ -314,29 +314,6 @@ def post_comment(pr_number: int, body: str, *, dry_run: bool) -> None:
     api("POST", f"/repos/{OWNER}/{NAME}/issues/{pr_number}/comments", body={"body": body})
 
 
-def remove_label(pr_number: int, label: str, *, dry_run: bool) -> None:
-    print(f"::notice::removing label '{label}' from PR #{pr_number}")
-    if dry_run:
-        return
-    # Gitea requires label ID, not name, for deletion.
-    # Multiple labels can share the same name with different IDs — remove all.
-    _, body = api("GET", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}")
-    pr_labels = body.get("labels", []) if isinstance(body, dict) else []
-    removed = False
-    for lbl in pr_labels:
-        if lbl.get("name") == label:
-            label_id = lbl.get("id")
-            if label_id:
-                api(
-                    "DELETE",
-                    f"/repos/{OWNER}/{NAME}/issues/{pr_number}/labels/{label_id}",
-                    expect_json=False,
-                )
-                removed = True
-    if not removed:
-        print(f"::notice::label '{label}' not found on PR #{pr_number}")
-
-
 def update_pull(pr_number: int, *, dry_run: bool) -> None:
     print(f"::notice::updating PR #{pr_number} with base branch via style={UPDATE_STYLE}")
     if dry_run:
@@ -430,30 +407,7 @@ def process_once(*, dry_run: bool = False) -> int:
                 "deferring to next tick"
             )
             return 0
-        try:
-            merge_pull(pr_number, dry_run=dry_run)
-        except ApiError as exc:
-            # Merge failed (pre-receive hook, branch protection, etc.).
-            # Remove queue label so next tick picks the next PR.
-            msg = str(exc)
-            if "405" in msg or "not allowed to merge" in msg.lower():
-                hint = "pre-receive hook or branch protection blocked the merge"
-            elif "422" in msg or "Unprocessable" in msg:
-                hint = "branch protection required-status check failed"
-            elif "409" in msg or "conflict" in msg.lower():
-                hint = "merge conflict"
-            else:
-                hint = msg[:200]
-            remove_label(pr_number, QUEUE_LABEL, dry_run=dry_run)
-            post_comment(
-                pr_number,
-                (
-                    f"merge-queue: merge blocked ({hint}). "
-                    f"Label removed — re-add once the block is resolved."
-                ),
-                dry_run=dry_run,
-            )
-            return 0
+        merge_pull(pr_number, dry_run=dry_run)
         return 0
     return 0
 

.gitea/workflows/gitea-merge-queue.yml

@@ -48,12 +48,6 @@ jobs:
           REQUIRED_CONTEXTS: >-
             CI / all-required (pull_request),
             sop-checklist / all-items-acked (pull_request)
-          # NOTE: qa-review / security-review gates intentionally omitted.
-          # These gates permanently fail (mc#1111: SOP_TIER_CHECK_TOKEN missing
-          # PAT — token owner not in qa/security teams). Adding them to
-          # REQUIRED_CONTEXTS would strip the merge-queue label from every PR
-          # in the queue, breaking the queue for all contributors.
-          # Re-add these gates once mc#1111 is resolved.
           # Push-side required contexts. Checking CI / all-required (push)
           # explicitly instead of the combined state avoids false-pause when
           # non-blocking jobs (continue-on-error: true) have failed — those

.gitea/workflows/review-refire-comments.yml

@@ -18,10 +18,6 @@ permissions:
   pull-requests: read
   statuses: write
 
-concurrency:
-  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.issue.number || github.ref }}
-  cancel-in-progress: true
-
 jobs:
   dispatch:
     runs-on: ubuntu-latest

.gitea/workflows/sop-checklist.yml

@@ -70,7 +70,7 @@ name: sop-checklist
 # Cancel any in-progress runs for the same PR to prevent
 # stale runs from overwriting newer status contexts.
 concurrency:
-  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number || github.ref }}
+  group: ${{ github.repository }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
 # bp-required: yes  ← emits sop-checklist / all-items-acked (pull_request)

.gitea/workflows/sop-tier-check.yml

@@ -61,10 +61,6 @@ on:
   pull_request_review:
     types: [submitted, dismissed, edited]
 
-concurrency:
-  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
 jobs:
   tier-check:
     runs-on: ubuntu-latest

workspace-server/internal/handlers/external_connection.go

@@ -646,12 +646,8 @@ const externalOpenClawTemplate = `# OpenClaw MCP config — outbound tool path.
 # external machine today, pair with the Python SDK tab.
 
 # 1. Install openclaw CLI + the workspace runtime wheel:
-#    The version pin (>=0.1.999) ensures the "molecule-mcp" console
-#    script is present — it is what keeps the workspace ALIVE on canvas
-#    (register-on-startup + 20s heartbeat). Older versions only ship
-#    a2a_mcp_server which does not heartbeat.
 npm install -g openclaw@latest
-pip install "molecule-ai-workspace-runtime>=0.1.999"
+pip install molecule-ai-workspace-runtime
 
 # 2. Onboard openclaw against your model provider (one-time setup).
 #    --non-interactive needs an explicit --provider + --model so it